01 October 2014
2014 National Security Conference at Suntec Singapore Convention & Exhibition Centre – Opening Address by Mr S Iswaran, Minister, Prime Minister’s Office, Second Minister for Home Affairs and Trade & Industry
Mr Teo Siong Seng
Chairman, Singapore Business Federation
Leaders of the business community
Ladies and gentlemen
Good morning. I am pleased to join all of you this morning for the 2014 National Security Conference, organised by the Singapore Business Federation (SBF) and supported by the National Security Coordination Secretariat (NSCS) and Infocomm Development Authority of Singapore (IDA). Since 2005, NSC has been organised annually to provide a platform for raising awareness on important issues to help our companies better prepare to deal with evolving security threats. Today’s conference highlights cyber security as a key imperative that businesses need to think about in safeguarding their operations.
2. The theme for this year’s conference “Business Continuity through Cyber Security” is apt given recent incidents of major data breaches reported this year. eBay suffered one of the biggest data breaches yet reported by online retailers. Cyber criminals attacked and gained access to the company’s network and, through it, compromised a database that contained customer names, encrypted passwords, email addresses, phone numbers and dates of birth. The breach is thought to have affected the majority of the company’s 145 million members. Early this year, there was also the case where the personal data of 20 million South Koreans – or 40% of the country’s population – was stolen. It sparked an outrage as worried consumers scrambled to replace compromised credit cards.
Increasing interconnectedness through cyberspace
3. The sheer scale and impact of these incidents underscore the reach of digital technology into virtually every aspect of daily life. We depend on IT for a host of important functions, from social interaction and information-sharing, to banking and commerce and government services like healthcare and transport. This reliance will grow as more businesses and government agencies seek to increase productivity by digitising databases, automating processes, and migrating service delivery to online platforms.
4. A 2013 IDA¹ survey revealed that Internet usage among local enterprises was at 86%. The number increases to 100% for companies with 200 or more employees. So the awareness is high. The survey also confirmed that 46% of our local enterprises have a web presence as more businesses adopt internet-based commerce to engage their customers. The message is clear – Internet connectivity is a near universal business tool with deepening and broadening coverage.
5. The very digital technology that has enhanced our connectivity and competitiveness has also rendered us more susceptible to threats from the global virtual environment. The increasing use of the Internet for nearly all business functions – from online customer service portals to technologies such as cloud computing and storage – is transforming existing business processes and increasing the permeability of organisational boundaries. In short, cyber criminals have greater access to a more wired business world. We face a totally different level of threat with information or data becoming an increasingly rich and valuable target.
Evolving cyber threats require greater vigilance and protection
6. Cyber security is a national security imperative that we need to recognise and be adequately prepared for. Enterprises need to acknowledge the significant risk that cyber attacks pose to their business operations. What’s more, cyber attacks are increasingly targeting small and medium enterprises (SMEs): stealing data, spreading misinformation or disrupting services. A 2014 report released by Verizon listed point-of-sale intrusions, which refers to remote attacks on retail transactions using credit cards, as the primary intrusion vector over the 2011-2013 periods, with small and medium businesses being the most frequent targets².
7. Cyber attacks are not only becoming more sophisticated but also occurring at a higher frequency. A recent report released by Symantec referred to 2013 as the year of the mega breach with a 62% rise in the total number of breaches³. Closer to home, a recent survey conducted by SBF found that 30% of our local enterprises had been a victim of a cyber attack, most of which took about 1 to 3 days to recover. This underscores the vulnerability of businesses to cyber-attacks. You may recall recent incidents involving two local companies, K Box and M1, which had their customer databases compromised. As a result, personal details of more than 300,000 K Box members were leaked. As for M1, it was in the news after a customer discovered a “security loophole” on its website and used it to access other M1 customers’ personal information.
8. Cyber attacks are increasingly linked to criminal activity as the motivation of cyber criminals shifts from hacking for fame to hacking for financial gains. Last year, for example, seven men were arrested in New York for their role in international cyber attacks that resulted in the theft of more than US$45 million across 26 different countries⁴. At home, the Singapore Police Force’s annual crime brief for 2013 cited a clear shift from the physical to the cyber sphere, as crimes in e-commerce surged almost 114% from 2012⁵.
9. Cyber criminals have also become more organised with the ability to carry out attacks more quickly and on a larger scale. Targets can range from single websites to systemic attacks on critical information infrastructures, as the Stuxnet worm in 2010 eloquently demonstrated. Cyber incidents reported thus far have demonstrated that perpetrators have the means and capability for both disruptive attacks that impede data transmission (for example DDoS (Distributed denial-of-service) attacks), as well as intrusive attacks that steal confidential information.
10. Against this backdrop of growing sophistication in the cyber security landscape, a 2013 IDA report revealed that while infocomm security adoption continues to be on the rise among local enterprises, only 21% have in place an intrusion detection system to prevent data leakage⁶. Thus, more work has to be done in this regard. We must bear in mind that successful attacks on confidential information, such as personal identification, sensitive intellectual property or other custodial data that companies hold but do not own, can cause serious damage to customers and to the business. Non-intrusive attacks like website defacement can damage business reputation and affect consumer confidence, while DDoS attacks that render a business website unavailable for a few hours can clearly compromise financial outcomes.
11. The message should be clear for companies – a lax cyber defence can disrupt business operations, and adversely affect a company’s reputation and bottom line. Cyber security should be a key area of focus for top management and not simply “left to the IT department” or an outsourced contractor. PricewaterhouseCoopers’ 2014 Global State of Security Survey found that the financial costs of cyber security breaches are rising with respondents reporting losses of more than US$10 million, an increase of 51% from 2011⁷. In the face of these challenges, companies can and must do more to implement a cyber security strategy that is in tune with the needs and challenges of the current business environment.
Singapore’s response to cyber threats – Roles of Govt and Businesses
12. At the national level, Singapore’s response to cyber threats has been to adopt a collective approach built on strong public-private partnerships. In the public sector, for example, IDA is upgrading the cyber-watch centre to strengthen the government’s detection and analytical capabilities. Sector regulators also work closely with private sector stakeholders on the cyber security of their key IT systems.
13. Public education is an important part of our overall response. One such public education initiative is Governmentware (or GovWare), an annual IT security seminar run by the Ministry of Home Affairs, which took place just last week and focused on collaborative efforts between all stakeholders to bolster security within the national cyber ecosystem. NSCS also undertakes public outreach primarily on the social media platform to raise public awareness of the roles that everyone plays in enhancing cyber security. One example is the Let’s Stand Together movement and Cyber Shock in Oct 2013, which demonstrated how vulnerabilities and a lack of security consciousness in cyber space can have major disruptive impacts on the physical world.
14. The Cyber Security Awareness Alliance, formed in 2008, also leverages the diverse strengths and resources of its members from across the public, private and people sectors, to promote good cyber security practices among individuals and businesses. The gosafeonline.sg portal, National Infocomms Security Competition, and Infocomm Security Seminar are all well received initiatives that have been co-organised by the Cyber Security Awareness Alliance.
15. The Government will continue to support our businesses to enhance their cyber security awareness and systems. For example, IDA has organised the Cyber Security Business Exchange in conjunction with today’s conference. This Exchange provides businesses with information on good infocomm security practices, and cyber security threats that their organisations may encounter.
16. IDA will start a trial of the Infocomm Security Starter Kit (ISSK) to promote the adoption of infocomm security measures among organisations, especially SMEs, at the Business Exchange. The ISSK is an online self-help tool that businesses can use to assess their organisation’s IT security plans, IT infrastructure setup, as well as security policies and governance. Kiosks have been set up for participants to access the ISSK to profile their organisations. There will also be a security clinic, where IT security consultants will be on hand to provide advice to organisations on the cyber security measures to adopt, based on the profiling report generated by the ISSK. Beyond today’s conference, companies can approach the SME Infocomm Resource Centre (SIRC) to access the ISSK for free. Do give it a try later and give your feedback so that the eventual version of the ISSK, which will be launched by the end of next month, will be a reliable and useful tool for companies as part of their cyber incident preparation, mitigation, response and recovery plans.
Cyber Security BCP makes good business sense
17. While the Government continues to work on initiatives to enhance our nation’s cyber-security, business continuity plans (BCP) are a key part of the strategy to ensure that businesses can overcome cyber threats. BCPs allow businesses to take a disciplined approach in thinking about the core activities which they need to protect, and the cyber security regimes that need to be implemented. Cyber crime’s economic impact can come in the form of financial losses, but also through intangible means such as through the theft of intellectual property and consequent damage to the pace of innovation in individual companies, in the industry, and for the nation as a whole. McAfee and the US Center for Strategic and International Studies (CSIS)’ 2014 report on the global cost of cyber crime estimates that 0.41% of Singapore’s GDP (or almost SGD 1.5 billion) is lost to cyber crime. Therefore, there are good reasons for BCPs to include processes for computer security, downloads, and backups in order to secure critical technologies and communications networks. On this front, SPRING Singapore’s Capability Development Grant (CDG) Scheme will continue to strengthen enterprise business resilience through its support for enterprises to adopt BCM. SPRING will also support enterprises who adopt the international information security management system, or ISO 27001 certification. SBF, as the National Business Continuity Management (BCM) Focal Point, will also work with various industry partners and government agencies to help local enterprises enhance their capabilities in risk and resilience management.
18. While my focus thus far has been on the risks posed by cyber threats, it is not all doom and gloom. There are significant business opportunities in cyber security. There are clear advantages for companies who can create end-to-end customer experiences that are both convenient and secure, establishing a safe environment for online transactions without being onerous for consumers. Firms who have made cyber security solutions a core business are also particularly well positioned to take advantage of the strong demand for IT security products and services – constantly innovating to stay ahead of the curve and developing marketable cyber security solutions.
19. A business’ cyber security posture will also determine the talent that it can attract: Cisco’s Annual Security Report 2014 estimates that the industry is short of more than a million security professionals across the globe. The demand for talent is no less real in Singapore, and the firms with the best cyber security environment will attract the necessary talent, who in turn will further stretch their cyber advantage. Cyber security can become a make-or-break issue for C-suite executives: as a critical domain, it gives CIOs the opportunity to engage and influence across business domains, and to lead major changes throughout the organisation.
20. The Internet and Information technology are increasingly important to the success of our economy, to the future of businesses, big and small, and to the security of jobs. In parallel, cyber threats are constantly evolving and security measures must strive to keep pace, if possible outpace, hacker technology. Cyber security must therefore have the attention and endorsement of top management, not just relying on third party contractors or the IT department to protect valuable information assets. When all parties – Government, businesses and the community at large – work hand in hand to enhance cyber security measures and minimise vulnerabilities, we will be well-placed in our efforts to build a more robust and resilient Singapore.
21. I look forward to your strong support for, and involvement in, this important national endeavour. Thank you.
1 Source: IDA’s annual survey on infocomm usage by enterprises 2013
2 Verizon’s 2014 data breach investigation report: http://www.verizonenterprise.com/DBIR/2014/reports/rp_dbir-2014-executive-summary_en_xg.pdf
3 Source: Symantec Internet Security Threat Report 2014
4 SPF’s annual crime brief: http://www.police.gov.sg/img/stats/crimebrief2013.pdf
5 Source: IDA’s annual survey on infocomm usage by enterprises 2013. http://www.ida.gov.sg/~/media/Files/Infocomm%20Landscape/Facts%20and%20Figures/SurveyReport/2013/InfocommUsage_Survey%202013%20public%20report.pdf
6 Source: PwC’s Global State of Information Security Survey 2014. http://www.pwc.com/gx/en/consulting-services/information-security-survey/key-findings.jhtml